The information gives insight into how the Commission is likely to tackle future cases, said Singapore-based Bryan Tan of Pinsent Masons, the law firm behind Out-Law.com.
The PDPC gave details of nine cases where companies were fined or warned for failure to comply with the data protection provisions of the Personal Data Protection Act (PDPA).
The largest fines, of SIN$50,000 ($37,100) and SIN$10,000, were imposed on K Box Entertainment Group and its data intermediary Finantech Holdings for "failing to implement proper and adequate protective measures to secure its IT system", resulting in the unauthorised disclosure of the personal data of 317,000 K Box members, the PDPC said.
K Box failed to effectively manage its vendor, Finantech, to ensure that it undertook adequate measures to protect members’ personal data, the PDPC said.
"This is the first time the PDPC has released decisions on breaches other than of the Do Not Call provisions and the decisions indicate what approach it will take in future," Tan said.
"For instance, where vendors are involved, the vendors could be classified as intermediaries and subject to the protection obligations under the PDPA. Where the breach involves a significant number of data subjects and information of a sensitive nature, fines would be levied. We note, too, that the PDPC carried out enforcement action in terms of warnings where the breaches were less significant, such as not ensuring a computer screen with personal data was obscured from public view," Tan said.